* rest client (#6)

* guix: Add guix-verify script

* guix-attest: Only use cross-platform flags for find+xargs

* guix-attest: Use ascii-armor signatures

* guix-attest: Allow skipping GPG signing with NO_SIGN

* guix: Minor quoting fix in libexec/build.sh

* guix: Construct $OUTDIR in ${DISTSRC}/output

While files are being output to $OUTDIR, it will be under
${DISTSRC}/output, and only when everything is done, will
${DISTSRC}/output be moved to the actual $OUTDIR.

This makes it so that a Ctrl-C in the middle of a build is less likely
to result in a partially-constructed $OUTDIR. In fact, if I understand
correctly, if $OUTDIR and $DISTSRC reside on the same filesystem, the
move (rename) is likely atomic.

Also, since the "working $OUTDIR" is under ${DISTSRC}/output, it will be
cleaned properly by the guix-clean script.

* guix: Attest to inputs in inputs.SHA256SUMS

At build/codesigning-time, hash build inputs and output the digest to
${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS
constructed by guix-attest.

Example final SHA256SUMS:
ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20  inputs/bitcoin-78199266af7b.tar.gz
ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21  bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz
dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327  bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz

* guix: Skip attesting to dist-archive

We already attest to the relevant dist-archive in inputs.SHA256SUMS,
which is recorded at build-time.

We use a SKIPATTEST.TAG file to indicate output directories which do not
require attestation (much like the CACHEDIR.TAG specification).
Generally, it's better to have build scripts declare properties of
directories instead of introducing name-based special cases in attest
scripts since build scripts have a more detailed context of what is
going on.

* guix: Consistently use gcc-8 for $HOST

* guix-attest: Avoid incomplete sigdirs with ERR traps

Sometimes GPG connects to the wrong agent... or you don't have your
smartcard handy...

* guix: install LIEF in Guix container

Co-authored-by: Carl Dong <contact@carldong.me>

* build: Makes rcc output always deterministic

The Qt Resource Compiler (rcc) has a command-line option
`--format-version` which has the default value 2.

The only difference from `--format-version 1` is adding a last modified
timestamp to the output file. That, in turn, forces us to use
`QT_RCC_SOURCE_DATE_OVERRIDE=1` to get deterministic builds.

This change makes rcc output always deterministic by using
`--format-version 1` option that makes usage of the
`QT_RCC_SOURCE_DATE_OVERRIDE` needless. Also it improves interaction
with ccache.

Co-authored-by: fanquake <fanquake@gmail.com>

* guix: Reindent existing manifest.scm

* guix: Package codesigning tools

* guix: Add codesigning functionality

* guix: repro: Sort find output in libtool for gcc-8

Otherwise the resulting .a static libraries (e.g. libstdc++.a) will not
be reproducible and end up making the Bitcoin binaries non-reproducible
as well.

See: https://reproducible-builds.org/docs/archives/#gnu-libtool

* guix: Remove dest if OUTDIR mv fails

* guix: Check for disk space availability before building

* Use latest signapple commit

Update gitian and guix to use the same latest signapple commit

* Make SHA256SUMS fragment right after build

* Rewrite guix-{attest,verify} for new hier

* scripts: LIEF 0.11.5

* guix-attest: Error out if SHA256SUMS is unexpected

* guix: Rebase toolchain on glibc 2.24 (2.27 for riscv64)

Support for riscv64 in glibc landed in 2.27 so it's unavoidable that we
use 2.27.

Running a Bitcoin build with toolchains based on 2.24 for platforms
other than riscv64 seem to produce binaries which do not have 2.17
symbols. So use 2.24 since it's more recent and maintained by Debian
Stretch.

* guix: Build depends/qt with our platform definition

Our 'bitcoin-linux-g++' definition better integrates with our depends
system than the stock linux-g++-64 definition.

This fixes a bug whereby Guix builds on x86_64 for x86_64 did not
produce a QMinimalIntegrationPlugin and led to bitcoin-qt not being
built.

* guix: Also sort SHA256SUMS.part

* guix: no-longer pass --enable-glibc-back-compat to Guix

Now that our Guix builds are performed on glibc 2.24 and 2.27 (RISCV),
we no-longer need to pass the --enable-glibc-back-compat option.

Replace it with --disable-threadlocal, to prevent the usage of symbols
from glibc 2.18.

None of the binaries produced required symbols later than 2.17, and 2.27
(RISCV).

* guix: add additional documentation to patches

* Avoid GCC 7.1 ABI change warning in guix build

* guix: Patch binutils to add security-related disable flags

We use these flags in our test-security-check make target, but they are
only available because debian patches them in.

We can patch them in for our Guix builds so that we can check the sanity
of our security/symbol checking suite before running them.

* guix: Test security-check sanity before performing them

* guix: Check for a sane services database

On bare systems, it is possible to be lacking a services database. Check
for basic entries before attempting a build.

See the error message in the diff for more context.

* guix: Update various check_tools lists

* guix: Pin kernel header version

- Use 4.19 for riscv64 (earliest LTS release w/ riscv64 support)
- Use 4.9 for all others (second-oldest LTS release, released in
  combination with glibc glibc 2.24 in Debian stretch)

* guix: Bump to version-1.3.0 from upstream

The chosen commit is the HEAD of Guix's version-1.3.0 branch as of July
15th, 2021.

Also fix visual indenting.

* guix: Overhaul README

- Added detailed Guix bootstrap/installation instructions

* guix-attest: Produce and sign normalized documents

That way we can easily combine the document and detached signature to
produce cleartext signature files for upload during the release process.

See subsequent commits which modify doc/release-process.md for more
details.

* guix/INSTALL: Add coreutils/inotify-dir-recreate troubleshooting

* guix/INSTALL: Guix installs init scripts in libdir

* guix: Silence getent(1) invocation

* guix/INSTALL: Misc fixups

* guix/build: Remove vestigial SKIPATTEST.TAG

* guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS

* guix: Allow changing the base manifest in guix-verify

When verifying guix attestations, it is useful to set a particular
signer's manifest as the base to compare against.

* Updated Readme, Corrected the codesign typo

* script, doc: guix touchups

* guix: Remove extra \r from all.SHA256SUMS line ending

guix-attest mistakenly added an extra \r to the line endings in
all.SHA256SUMS, causing guix-verify to erroneously fail.

Co-Authored-By: Carl Dong <contact@carldong.me>

* guix: Ensure EPOCH_SOURCE_DATE does not include GPG information

If the user has set log.showSignature=true in their git config, then the
git log will always output GPG signature information. Since git log is
used to set EPOCH_SOURCE_DATE, this will mistakenly have GPG signature
information in it which causes issues for the build. To avoid this
issue, we override the config and force log.showSignature=false.

* release: Release with separate SHA256SUMS and sig files

This allows us to remove the rfc4880 EOL hacks and release with a
SHA256SUMS.asc file that's a combination of all signer signatures.

* guix-verify: Non-zero exit code when anything fails

Previously, if verification fails, the correct message will be printed,
but the exit code would still be 0.

* guix: Don't include directory name in SHA256SUMS

The SHA256SUMS file can be used in a sha256sum -c command to verify
downloaded binaries. However users are likely to download just a single
file and not place this file in the correct directory relative to the
SHA256SUMS file for the simple verification command to work. By not
including the directory name in the SHA256SUMS file, it will be easier
for users to verify downloaded binaries.

Co-authored-by: Carl Dong <contact@carldong.me>

* guix/prelude: Override VERSION with FORCE_VERSION

Previously, if the builder exported $VERSION in their environment (as
past Gitian-building docs told them to), but their HEAD does not
actually point to v$VERSION, their build outputs will differ from those
of other builders.

This is because the contrib/guix/guix-* scripts only ever act on the
current git worktree, and does not try to check out $VERSION if $VERSION
is set in the environment.

Setting $VERSION only makes the scripts pretend like the current
worktree is $VERSION.

This problem was seen in jonatack's attestation for all.SHA256SUMS,
where only his bitcoin-22.0rc3-osx-signed.dmg differed from everyone
else's.

Here is my deduced sequence of events:

1. Aug 27th: He guix-builds 22.0rc3 and uploads his attestations up to
   guix.sigs

2. Aug 30th, sometime after POSIX time 1630310848: he pulls the latest
   changes from master in the same worktree where he guix-built 22.0rc3
   and ends up at 7be143a

3. Aug 30th, sometime before POSIX time 1630315907: With his worktree
   still on 7be143a, he guix-codesigns. Normally, this would result
   in outputs going in guix-build-7be143a960e2, but he had
   VERSION=22.0rc3 in his environment, so the guix-* scripts pretended
   like he was building 22.0rc3, and used 22.0rc3's guix-build directory
   to locate un-codesigned outputs and dump codesigned ones.

   However, our SOURCE_DATE_EPOCH defaults to the POSIX time of HEAD
   (7be143a), which made all timestamps in the resulting codesigned
   DMG 1630310848, 7be143a's POSIX timestamp. This differs from the
   POSIX timestamp of 22.0rc3, which is 1630348517. Note that the
   windows codesigning procedure does not consider SOURCE_DATE_EPOCH.

We resolve this by only allowing VERSION overrides via the FORCE_VERSION
environment variable.

* build: set OSX_MIN_VERSION to 10.15

This is required to use std::filesystem on macOS as support for it only
landed in the libc++ dylib shipped with 10.15.

See also: https://developer.apple.com/documentation/xcode-release-notes/xcode-11-release-notes

Clang now supports the C++17 <filesystem> library for iOS 13, macOS 10.15, watchOS 6, and tvOS 13.

* Enable TLS in links in documentation

* Integrate univalue into our buildsystem

This addresses issues like the one in bitcoin#12467, where some of our compiler flags
end up being dropped during the subconfigure of Univalue. Specifically, we're
still using the compiler-default c++ version rather than forcing c++17.

We can drop the need subconfigure completely in favor of a tighter build
integration, where the sources are listed separately from the build recipes,
so that they may be included directly by upstream projects. This is
similar to the way leveldb build integration works in Core.

Core benefits of this approach include:
- Better caching (for ex. ccache and autoconf)
- No need for a slow subconfigure
- Faster autoconf
- No more missing compile flags
- Compile only the objects needed

There are no benefits to Univalue itself that I can think of. These changes
should be a no-op there, and to downstreams as well until they take advantage
of the new sources.mk.

This also removes the option to use an external univalue to avoid similar ABI
issues with mystery binaries.

Co-authored-by: fanquake <fanquake@gmail.com>

* guix: Fix powerpc64(le) dynamic linker name

I used Guix's values for the powerpc64(le) dynamic linkers, and the
/lib-prefix seems to be a Guix-ism rather than standard. The standard
path for the linker-loaders start with /lib64.

I've taken the new loader values from SYSDEP_KNOWN_INTERPRETER_NAMES in
glibc's sysdeps/unix/sysv/linux/powerpc/ldconfig.h file.

For future reference, loader path values can also be found on glibc's
website: https://sourceware.org/glibc/wiki/ABIList?action=recall&rev=16

* build: require glibc 2.18+ for release builds

From what I can see the only platform this drops support for is CentOS
7. CentOS 7 reached the end of it's "full update" support at the end of
2020. It does receive maintenance updates until 2024, however I don't
think supporting glibc 2.17 until 2024 is realistic. Note that anyone
wanting to self-compile and target a glibc 2.17 runtime could build with
--disable-threadlocal.

glibc 2.18 was released in August 2013.
https://sourceware.org/legacy-ml/libc-alpha/2013-08/msg00160.html

* scripted-diff: Drop Darwin version for better maintainability

-BEGIN VERIFY SCRIPT-
sed -i 's/darwin19/darwin/g' $(git grep --files-with-matches 'darwin19')
-END VERIFY SCRIPT-

* test: Make more shell scripts verifiable by the `shellcheck` tool

* test: Bump shellcheck version to 0.8.0

* scripted-diff: Insert missed copyright headers

-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py insert contrib/guix/libexec/build.sh
./contrib/devtools/copyright_header.py insert contrib/guix/libexec/codesign.sh
./contrib/devtools/copyright_header.py insert contrib/tracing/log_raw_p2p_msgs.py
./contrib/devtools/copyright_header.py insert contrib/tracing/log_utxocache_flush.py
./contrib/devtools/copyright_header.py insert contrib/tracing/p2p_monitor.py
./contrib/devtools/copyright_header.py insert test/lint/lint-files.sh
-END VERIFY SCRIPT-

* build: use a static .tiff for macOS .dmg over generating

Co-authored-by: Pavol Rusnak <pavol@rusnak.io>

* guix: use GCC 10 (over GCC 8) to build releases

This currently points to the version-1.4.0 branch.

* guix: use uptream nsis-x86_64

Our patch is now used upstream.

* build: use python-asn1crypto from upstream

It is the exact same package definition.

* guix: use upstream python-requests (2.26.0)

Upstream python requests is now modern enough to be used as a dependency for
signapple. Which requires requests>=2.25.1.

* build: Point Guix to the current top of the "version-1.4.0" branch

* build: point to latest commit on the master branch

The version-1.4.0 branch no-longer exists, and will be branched off
master again shortly.

* guix: ignore additioanl failing certvalidator test

======================================================================
ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft
    validate_path(context, path)
  File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path
    return _validate_path(validation_context, path)
  File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path
    raise PathValidationError(pretty_message(
certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-01-14 12:00:00Z

* build: Fix xargs warnings for Guix builds

* build: use macOS 11 SDK (Xcode 12.2)

This should be sufficient to support building for Apple ARM when
cross-compiling.

* guix: use autoconf 2.71

This allows for building with newer targets, like arm64-apple-darwin, due to
having a newer bundled config.guess and config.sub.

* guix: add arm64-apple-darwin triplet

* build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix

* build: Point Guix to recent commit on the master branch

* Replace "can not" with "cannot" in docs, user messages, and tests

* guix: use same commit for codesigning time-machine

The time machines should be updated in lockstep.

* build: Move guix time machine to prelude

This deduplicates some code, and enforces consistency of the time
machine configuration between scripts.

* guix: only use native GCC 7 toolchain for Linux builds

The macOS and Windows builds do not require a GCC 7 toolchain, and this
is actually causing build issues, i.e bitcoin#24211. So switch to using a GCC
10 native toolchain for both.

* guix: use latest upstream python-certvalidator

This should also allow re-enabling previously failing tests.

* guix: use latest upstream signapple

This should improve support for signing for M1 binaries.

* guix: Drop unneeded openssl dependency for signapple

* guix: use latest signapple

* guix: only check for the macOS SDK once

If we are building for both macOS HOSTS, there's no need to check and
print that the SDK exists two times.

* guix: Use $HOST instead of generic osx{64} for macOS artifacts

* guix: make it possible to override gpg binary

For example on Qubes OS one might want to use qubes-gpg-client-wrapper instead

* guix: Drop "-signed" suffix for signed macOS .dmg files

This change makes naming of the signed artifacts consistent across
different OSes, including Windows.

* guix: Use "win64" for Windows artifacts consistently

* Update signapple for platform identifier fix

* doc, guix: Include arm64-apple-darwin into codesigned archs

* guix: point to latest upstream commit

* Revert "build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix"

This reverts commit 7f2f35f.

* macdeploy: remove unused detached-sig-apply

Signature application is now done with signapple.

* guix: Drop code for the unsupported `i686-linux-gnu` host

Now GUIX build for the `i686-linux-gnu` host is broken, and there are no
plans to re-add it.

* contrib: use LIEF 0.12.0 for symbol and security checks

* build: Fix "ERR: Unsigned tarballs do not exist"

* guix: fix vmov alignment issues with gcc 10.3.0 & mingw-w64

This introduces a patch to our GCC (10.3.0) mingw-w64 compiler, in Guix, to make
it avoid using aligned vmov instructions. This works around a longstanding issue
in GCC, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54412, which was recently
discovered to be causing issues, see bitcoin#24726.

Note that distros like Debian are also patching around this issue, and that is
where this patch comes from. This would also explain why we haven't run into this
problem earlier, in development builds. See:
https://salsa.debian.org/mingw-w64-team/gcc-mingw-w64/-/blob/master/debian/patches/vmov-alignment.patch.

Fixes bitcoin#24726.
Alternative to bitcoin#24727.

See also:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939559

* build: don't compress macOS DMG

* guix: fix GCC 10.3.0 + mingw-w64 setjmp/longjmp issues

This commit backports a patch to the GCC 10.3.0 we build for Windows
cross-compilation in Guix. The commit has been backported to the GCC
releases/gcc-10 branch, but hasn't yet made it into a release.

The patch corrects a regression from an earlier GCC commit, see:
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=357c4350680bf29f0c7a115424e3da11c53b5582
and
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=074226d5aa86cd3de517014acfe34c7f69a2ccc7,
related to the way newer versions of mingw-w64 implement setjmp/longjmp.

Ultimately this was causing a crash for us when Windows users were
viewing the network traffic tab inside the GUI. After some period, long
enough that a buffer would need reallocating, a call into FreeTypes
gray_record_cell() would result in a call to ft_longjmp (longjmp), which
would then trigger a crash.

Fixes: bitcoin-core/gui#582.

See also:
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e8d1ca7d2c344a411779892616c423e157f4aea8.
https://bugreports.qt.io/browse/QTBUG-93476.

* guix: Improve error message about missed macOS SDK

* guix: consolidate kernel headers to 5.15

Given no reason to use an older version of the kernel headers for the
non-RISCV linux builds, consolidate all Linux builds to 5.15.x.

Note that using older kernel headers isn't some sort of compatibility
"hack", and glibc explicitly recommends against doing so. See:
https://sourceware.org/glibc/wiki/FAQ#What_version_of_the_Linux_kernel_headers_should_be_used.3F.

* build: include bitcoin.conf in build outputs

copy over bitcoin.conf during the build process.
this means `contrib/devtools/gen-bitcoin-conf.sh` will need
to be run and the generated file committed during the release process.

this is the same process used for generating man pages for each release.

* guix: bump time-machine to 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681

There are two reasons to perform this bump:
* Fixes bitcoin#25082 by bumping to a commit that includes a fix for time-dependent unit
tests in libgit2 (f5fe0082abe4547f3fb9f29d8351473cfb3a387b).
* Gives us access to clang-toolchain-14 (14.0.3, 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681),
which is useful for the Guix portion of bitcoin#21778.

Note that with this bump:
Linux kernels headers update from 5.15.28 to 5.15.37.

* guix: compile glibc without -werror

Compiling glibc 2.24 and 2.27 with the new GCC 10 results in a number of new warnings,
i.e:
```bash
libc-tls.c: In function ‘__libc_setup_tls’:
libc-tls.c:208:30: error: array subscript 1 is outside the bounds of an interior zero-length array ‘struct dtv_slotinfo[0]’ [-Werror=zero-length-bounds]
  208 |   static_slotinfo.si.slotinfo[1].map = main_map;
      |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
In file included from ../sysdeps/x86_64/ldsodefs.h:54,
                 from ../sysdeps/gnu/ldsodefs.h:46,
                 from ../sysdeps/unix/sysv/linux/ldsodefs.h:25,
                 from libc-tls.c:20:
../sysdeps/generic/ldsodefs.h:398:7: note: while referencing ‘slotinfo’
  398 |     } slotinfo[0];
      |       ^~~~~~~~
```

While we could try and backport all the patches required to fix these up, it would
currently seem easier to disable -Werror, which Guix uses by default when building
glibc.

* guix: adjust RISC-V __has_include() patch to work with GCC 10

The actual macro is __has_include(), not __has_include__(), using the
later would result in build failures when using GCC 10. i.e:
```bash
../sysdeps/unix/sysv/linux/riscv/flush-icache.c:24:5: warning: "__has_include__" is not defined, evaluates to 0 [-Wundef]
   24 | #if __has_include__ (<asm/syscalls.h>)
```

Looks like at least someone else has run into the same thing, see:
http://lists.busybox.net/pipermail/buildroot/2020-July/590376.html.

See also:
https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005finclude.html
https://clang.llvm.org/docs/LanguageExtensions.html#has-include

* guix: fix glibc 2.27 multiple definition warnings with GCC 10

* guix: use -fcommon when building glibc 2.24

GCC 10 started using -fno-common by default, which causes issues with
the powerpc builds using gibc 2.24. A patch was commited to glibc to fix
the issue, 18363b4f010da9ba459b13310b113ac0647c2fcc but is non-trvial
to backport, and was broken in at least one way, see the followup in
commit 7650321ce037302bfc2f026aa19e0213b8d02fe6.

For now, retain the legacy GCC behaviour by passing -fcommon when
building glibc 2.24.

https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html.
https://sourceware.org/git/?p=glibc.git;a=commit;h=18363b4f010da9ba459b13310b113ac0647c2fcc
https://sourceware.org/git/?p=glibc.git;a=commit;h=7650321ce037302bfc2f026aa19e0213b8d02fe6

* guix: native GCC 10 toolchain for Linux builds

* guix: re-revert riscv execstack workaround

Now that we use GCC 10 for release builds, we no-longer need to
pass-Wl,-z,noexecstack to get a non-executable stack in RISC-V binaries.

This was originally removed in bitcoin#21036, but then re-added in bitcoin#21799, when
we reverted to using GCC 8.

* guix: use libtool 2.4.7

As of version 2.4.7, libtool now respects ARFLAGS, which we use, and has
changed the default ARFLAGS from cru to cr (which we also do, see
configure).

This eliminates spammy `ar` output such as:
```bash
  CXXLD    libunivalue.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  AR       libbitcoin_zmq.a
  AR       libbitcoin_consensus.a
  CXXLD    crypto/libbitcoin_crypto_base.la
  CXXLD    crypto/libbitcoin_crypto_sse41.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  CXXLD    crypto/libbitcoin_crypto_avx2.la
  CXXLD    crypto/libbitcoin_crypto_x86_shani.la
  CXXLD    leveldb/libleveldb.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  CXXLD    crc32c/libcrc32c.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  CXXLD    leveldb/libmemenv.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  AR       libbitcoin_cli.a
```

Libtool 2.4.7 release notes:
https://lists.gnu.org/archive/html/autotools-announce/2022-03/msg00000.html

* guix: remove explicit glibc stack protector disabling

While glibc 2.25 and newer *can* be built with stack-smashing-protection
enabled, it isn't used by default, and still isn't, as of glibc 2.35,
so I can't see a reason to explicitly disable it.

I'd also like to move in the direction of enabling, by default,
hardening options for the toolchains we build, so removing the explicit
disabling is a step in that direction.

Will be following up with some changes based on this PR.

* guix: parallelize LIEF build

* guix: remove usage of -Wl,-z,noexecstack for PPC64 HOST

The PPC64 ABI has a non-executable stack by default, and does not need a
GNU_STACK program header.

See also:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/powerpc/include/asm/page_64.h#n92

* guix: use LIEF 0.12.1

* guix: patch LIEF to fix PPC64 NX default

This patches our LIEF build using the change merged upstream:
lief-project/LIEF#718.

This can be dropped the next time we update LIEF.

* guix: Map all guix store prefixes to /usr

Without ffile-prefix-map, the debug symbols will contain paths for the
guix store which will include the hashes of each package. However, the
hash for the same package will differ when on different architectures.
In order to be reproducible regardless of the architecture used to build
the package, map all guix store prefixes to something fixed, e.g. /usr.

* guix: Remove guix store paths from glibc

Without ffile-prefix-map, the debug symbols will contain paths for the
guix store which will include the hashes of each package. However, the
hash for the same package will differ when on different architectures.
In order to be reproducible regardless of the architecture used to build
the package, map all guix store prefixes to something fixed, e.g. /usr.

We might be able to drop this in favour of using --with-nonshared-cflags
when we being using newer versions of glibc.

* guix: use elfesteem 2eb1e5384ff7a220fd1afacd4a0170acff54fe56

Our patch has been merged upstream, see
LRGH/elfesteem#3

* guix: patch gcc 10 with pthreads to remap guix store paths

* guix: Drop repetition of option's default value

* guix: enable SSP for RISC-V glibc (2.27)

Pass `--enable-stack-protector=all` when building the glibc used for the
RISC-V toolchain, to enable stack smashing protection on all functions,
in the glibc code.

* guix: pass enable-bind-now to glibc

Both glibcs we build support `--enable-bind-now`:
Disable lazy binding for installed shared objects and programs.
This provides additional security hardening because it enables full RELRO
and a read-only global offset table (GOT), at the cost of slightly
increased program load times.

See:
https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html

* guix: enable hardening options in GCC Build

Pass `--enable-default-pie` and `--enable-default-ssp` when configuring
our GCCs. This achieves the following:

--enable-default-pie
	Turn on -fPIE and -pie by default.

--enable-default-ssp
	Turn on -fstack-protector-strong by default.

Note that this isn't a replacement for passing hardneing flags
ourselves, but introduces some redundency, and there isn't really a
reason to not build a more "hardenings enabled" toolchain by default.

See also:
https://gcc.gnu.org/install/configure.html

* guix: ignore additional failing certvalidator test

Similar to 8588591.

```bash
ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft
    validate_path(context, path)
  File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path
    return _validate_path(validation_context, path)
  File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path
    raise PathValidationError(pretty_message(
certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-07-27 12:00:00Z
```

* guix: patch NSIS to remove .reloc sections from install stubs

With the release of binutils/ld 2.36, ld swapped to much improved
default settings when producing windows binaries with mingw-w64. One of
these changes was to stop stripping the .reloc section from binaries,
which is required for working ASLR.

.reloc section stripping is something we've accounted for previously,
see bitcoin#18702. The related upstream discussion is in this thread:
https://sourceware.org/bugzilla/show_bug.cgi?id=19011.

When we switched to using a newer Guix time-machine in bitcoin#23778, we begun
using binutils 2.37 to produce releases. Since then, our windows
installer (produced with makensis) has not functioned correctly when run on
a Windows system with the "Force randomization for images (Mandatory ASLR)"
option enabled. Note that all of our other release binaries, which all
contain .reloc sections, function fine under the same option, so it
cannot be just the presence of a .reloc section that is the issue.

For now, restore makensis to it's pre-binutils-2.36 behaviour, which
fixes the produced installer. The underlying issue can be further
investigated in future.

* doc: minor updates to guix README

* build: include share/rpcauth in tarball & installer

Fixes bitcoin#19081.

* guix: use --build={arch}-guix-linux-gnu in cross toolchain

Technically we are always cross-compiling, so make that explicit.

Fixes: bitcoin#22458.

* guix: consistently use -ffile-prefix-map

Aside from being the newer, more comprehensive option, it's what we
claim to use in the patch docs, and everywhere else in guix.

* guix: use git-minimal over git

From the git-minimal package definition:
> The size of the closure of 'git-minimal' is two thirds that of 'git'.
> Its test suite runs slightly faster and most importantly it doesn't
> depend on packages that are expensive to build such as Subversion.

We don't need any fancy / additional git functionality above the basics,
so switch to git-minimal and save some CPU, while also pruning the
greater dependency graph.

```diff
-name: git
+name: git-minimal
 version: 2.37.3
 outputs:
-+ send-email: see Appendix H
-+ svn: see Appendix H
-+ credential-netrc: see Appendix H
-+ credential-libsecret: see Appendix H
-+ subtree: see Appendix H
-+ gui: see Appendix H
 + out: everything else
-systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux i686-linux armhf-linux powerpc-linux
-dependencies: asciidoc@9.1.0 bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 docbook-xsl@1.79.2 expat@2.4.1 gettext-minimal@0.21 glib@2.70.2 libsecret@0.20.4 openssl@1.1.1l pcre2@10.37 perl-authen-sasl@2.16 perl-cgi@4.52
-+ perl-io-socket-ssl@2.068 perl-net-smtp-ssl@1.04 perl-term-readkey@2.38 perl@5.34.0 pkg-config@0.29.2 python@3.9.9 subversion@1.14.1 tcl@8.6.11 tk@8.6.11.1 xmlto@0.0.28 zlib@1.2.11
-location: gnu/packages/version-control.scm:222:2
+systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux riscv64-linux i686-linux armhf-linux powerpc-linux
+dependencies: bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 expat@2.4.1 gettext-minimal@0.21 openssl@1.1.1l perl@5.34.0 zlib@1.2.11
+location: gnu/packages/version-control.scm:608:2
 homepage: https://git-scm.com/
 license: GPL 2
 synopsis: Distributed version control system
```

* guix: Drop perl package

* Revert "guix: Build depends/qt with our platform definition"

This reverts commit dc4137a.

* MS: restclient start

* MS: bumped c++ version from 14 to 17

* only gitian build for linux x86_64 for now. We can add back aarch64 later when needed.

* Testing whether OSX SDK needs to updated for gitian building for c++17

* test if bitcoins last gitian-build method works with unigrid

* yaml format error

* updated darwin host file for py build gitian

* Update depends make to work with latest build

* update darwin builder for new gitian

* DOWNLOAD_RETRIES:=3 readded for curl

* linux host update gitian

* check in default depends

* upgrade dawrwin to 19

* use focal

* remove i686 windows gitian

* testing whether jammy has same compile error for osx cctools

* switch back to focal

* place guix in proper directory

* guix util file

* guix util file

* lief is failing on guix build. try a newer version

* change hash for lief

* try and downgrade lief

* lief hash

* update darwin to never xcode version and osx 10.15 minimum

* added missing native_clang depends

* test jammy build focal cannot find repos

* missing some jammy in build.py

* build with kinetic

* focal appears to be the only docker container that builds correctly

* test building with g++9 linux

* test if reverting to c++14 builds work

* upgrade build.sh to use focal base VM. Remove some uneeded dependencies for linux builds.

* use jammy for builds and test building with c++17 or 20 if available

* force c++17

* don't check clock_gettime by default

* docker still cannot find ubuntu jammy revert to focal

* fdelt is required

* aarch64 required to compile

* disable arm build

* test disable glib backward support

* darwin builds were missing libtapi. native_cdrkit replaced with xorriso.

* change order of native_libtapi

* libtapi and clang are split out of cctools

* darwin unable to find glibtoolize

* upgrading boost and remove references to specific darwin versions

* split boost into build/host

* boost fail build on linux

* define minimum required boost

* adding missing required boost libraries after updating boost version

* errors building with boost 1.73.0 revert back to 1.71.0

* wrong xcode version in darwin build

* up boost version to 1.73.0

* test building with boost 1.80.0

* remove unused dependency and set min boost version

* upgrading boost requires more refactoring

* test if building osx works with c++11

* c++11 build fails on the rest client test to see if c++17 resolves this error

* accidental edit of robin-hood submodule

* use 12.2 osx sdk

* use 12.2 osx sdk for gitian-builder

* proper cheksum of Xcode

* checksum was not correct

* remove downloaded sdk

* attempted build with boost 1.80

* revert to c++14 and downgrade boost

* configure.ac set c++14

* Ms restclient (#5)

* MS: Updated univalue lib to latest version. Fixed parsing of json from restclient

* ms: added -hport as an argument in for unigridd.

* ms: added mint class to handel values from hedgehog. did some cleanup.

* ms: fixed compilation error

* ms: rewrote the rest client so its now working and getting json data from hedgehog

* ms: removed auto keyword

* ms: changed return type to bool to check if data got tranferd as expected from hedgehog

* ms: reverted c++ version to 14 from 17

Co-authored-by: Fim-84 <marcus.stenberg@gmail.com>

* set depends to build with c++11

* compile cc++ test update

* revert to old method of building boost that worked on OSX

* remove native_b2 ref

* remove native_cdrkit

* build ref for native_libtapi

* misisng endif

* try bitcoin boost build method

* errors compiling openssl with xcode 12.2 revert to 12.1

* test if old gitian build works with rest client update

* revert boost to old build

* reverting native cc tools build

* revert depends make to master

* missing cdrkit added

* cdrkit in wrong directory

* revert darwin host

* remove updated gitian build script from this branch. If we decide to stick with gitian this can be pulled from the EG_uposx_12_1 branch.

Co-authored-by: Carl Dong <contact@carldong.me>
Co-authored-by: fanquake <fanquake@gmail.com>
Co-authored-by: W. J. van der Laan <laanwj@protonmail.com>
Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
Co-authored-by: Andrew Chow <achow101-github@achow101.com>
Co-authored-by: Pieter Wuille <pieter@wuille.net>
Co-authored-by: h <harshit_goyal333@outlook.com>
Co-authored-by: jonatack <jon@atack.com>
Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc>
Co-authored-by: Cory Fields <cory-nospam-@coryfields.com>
Co-authored-by: Pavol Rusnak <pavol@rusnak.io>
Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com>
Co-authored-by: josibake <josibake@protonmail.com>
Co-authored-by: Stacie <staciewaleyko@gmail.com>
Co-authored-by: Fim-84 <marcus.stenberg@gmail.com>

* refactor of masternode to gridnode. Init will check for masternode.conf and rename the file to gridnode.conf on startup.

* having issues with the ubuntu bionic installs. try with ubuntu jammy

* remove uneeded break as we are not looping through strings anymore

* increase GLIBC version for newer OS building

* A complete refactor of the repo, to update Unigrid's naming convention of gridnodes instead of masternodes.

* refactor additions for gridnodes vs masternodes

* spelling error Gridnodeconfig

* SPORK_20_UNDONKEY_MNREWARDS refactored :D

* set build environment to bionic for gitian

Co-authored-by: Carl Dong <contact@carldong.me>
Co-authored-by: fanquake <fanquake@gmail.com>
Co-authored-by: W. J. van der Laan <laanwj@protonmail.com>
Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
Co-authored-by: Andrew Chow <achow101-github@achow101.com>
Co-authored-by: Pieter Wuille <pieter@wuille.net>
Co-authored-by: h <harshit_goyal333@outlook.com>
Co-authored-by: jonatack <jon@atack.com>
Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc>
Co-authored-by: Cory Fields <cory-nospam-@coryfields.com>
Co-authored-by: Pavol Rusnak <pavol@rusnak.io>
Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com>
Co-authored-by: josibake <josibake@protonmail.com>
Co-authored-by: Stacie <staciewaleyko@gmail.com>
Co-authored-by: Fim-84 <marcus.stenberg@gmail.com>

* try and downgrade lief

* lief hash

* update darwin to never xcode version and osx 10.15 minimum

* MS: Updated univalue lib to latest version. Fixed parsing of json from restclient

* added missing native_clang depends

* test jammy build focal cannot find repos

* missing some jammy in build.py

* build with kinetic

* ms: added -hport as an argument in for unigridd.

* focal appears to be the only docker container that builds correctly

* ms: added mint class to handel values from hedgehog. did some cleanup.

* test building with g++9 linux

* test if reverting to c++14 builds work

* upgrade build.sh to use focal base VM. Remove some uneeded dependencies for linux builds.

* ms: fixed compilation error

* use jammy for builds and test building with c++17 or 20 if available

* force c++17

* don't check clock_gettime by default

* docker still cannot find ubuntu jammy revert to focal

* fdelt is required

* aarch64 required to compile

* disable arm build

* test disable glib backward support

* darwin builds were missing libtapi. native_cdrkit replaced with xorriso.

* change order of native_libtapi

* libtapi and clang are split out of cctools

* darwin unable to find glibtoolize

* upgrading boost and remove references to specific darwin versions

* split boost into build/host

* boost fail build on linux

* define minimum required boost

* adding missing required boost libraries after updating boost version

* errors building with boost 1.73.0 revert back to 1.71.0

* wrong xcode version in darwin build

* up boost version to 1.73.0

* test building with boost 1.80.0

* remove unused dependency and set min boost version

* upgrading boost requires more refactoring

* ms: rewrote the rest client so its now working and getting json data from hedgehog

* test if building osx works with c++11

* c++11 build fails on the rest client test to see if c++17 resolves this error

* ms: removed auto keyword

* accidental edit of robin-hood submodule

* use 12.2 osx sdk

* use 12.2 osx sdk for gitian-builder

* proper cheksum of Xcode

* ms: changed return type to bool to check if data got tranferd as expected from hedgehog

* checksum was not correct

* remove downloaded sdk

* attempted build with boost 1.80

* ms: reverted c++ version to 14 from 17

* revert to c++14 and downgrade boost

* configure.ac set c++14

* ms: rest client done. started work on hadeling locking of tokens

* ms: blocks transactions from minted addresses

* ms: mint hedgehog supply

* Eg refactormasternode (#8)

* rest client (#6)

* guix: Add guix-verify script

* guix-attest: Only use cross-platform flags for find+xargs

* guix-attest: Use ascii-armor signatures

* guix-attest: Allow skipping GPG signing with NO_SIGN

* guix: Minor quoting fix in libexec/build.sh

* guix: Construct $OUTDIR in ${DISTSRC}/output

While files are being output to $OUTDIR, it will be under
${DISTSRC}/output, and only when everything is done, will
${DISTSRC}/output be moved to the actual $OUTDIR.

This makes it so that a Ctrl-C in the middle of a build is less likely
to result in a partially-constructed $OUTDIR. In fact, if I understand
correctly, if $OUTDIR and $DISTSRC reside on the same filesystem, the
move (rename) is likely atomic.

Also, since the "working $OUTDIR" is under ${DISTSRC}/output, it will be
cleaned properly by the guix-clean script.

* guix: Attest to inputs in inputs.SHA256SUMS

At build/codesigning-time, hash build inputs and output the digest to
${OUTDIR}/inputs.SHA256SUMS, which gets included in the final SHA256SUMS
constructed by guix-attest.

Example final SHA256SUMS:
ee832d2a35b7701bff581dea05a536118b118e3ad0a587a2855b6ee8cd6fba20  inputs/bitcoin-78199266af7b.tar.gz
ca765e70a0c12866dd63c0be228b675278a26329e5f8f5b5c52fd09200fedf21  bitcoin-78199266af7b-powerpc64le-linux-gnu-debug.tar.gz
dae95327d7f2c324e2728c4b73627be6cb2c0d2f2e5bea940d1d5e6463939327  bitcoin-78199266af7b-powerpc64le-linux-gnu.tar.gz

* guix: Skip attesting to dist-archive

We already attest to the relevant dist-archive in inputs.SHA256SUMS,
which is recorded at build-time.

We use a SKIPATTEST.TAG file to indicate output directories which do not
require attestation (much like the CACHEDIR.TAG specification).
Generally, it's better to have build scripts declare properties of
directories instead of introducing name-based special cases in attest
scripts since build scripts have a more detailed context of what is
going on.

* guix: Consistently use gcc-8 for $HOST

* guix-attest: Avoid incomplete sigdirs with ERR traps

Sometimes GPG connects to the wrong agent... or you don't have your
smartcard handy...

* guix: install LIEF in Guix container

Co-authored-by: Carl Dong <contact@carldong.me>

* build: Makes rcc output always deterministic

The Qt Resource Compiler (rcc) has a command-line option
`--format-version` which has the default value 2.

The only difference from `--format-version 1` is adding a last modified
timestamp to the output file. That, in turn, forces us to use
`QT_RCC_SOURCE_DATE_OVERRIDE=1` to get deterministic builds.

This change makes rcc output always deterministic by using
`--format-version 1` option that makes usage of the
`QT_RCC_SOURCE_DATE_OVERRIDE` needless. Also it improves interaction
with ccache.

Co-authored-by: fanquake <fanquake@gmail.com>

* guix: Reindent existing manifest.scm

* guix: Package codesigning tools

* guix: Add codesigning functionality

* guix: repro: Sort find output in libtool for gcc-8

Otherwise the resulting .a static libraries (e.g. libstdc++.a) will not
be reproducible and end up making the Bitcoin binaries non-reproducible
as well.

See: https://reproducible-builds.org/docs/archives/#gnu-libtool

* guix: Remove dest if OUTDIR mv fails

* guix: Check for disk space availability before building

* Use latest signapple commit

Update gitian and guix to use the same latest signapple commit

* Make SHA256SUMS fragment right after build

* Rewrite guix-{attest,verify} for new hier

* scripts: LIEF 0.11.5

* guix-attest: Error out if SHA256SUMS is unexpected

* guix: Rebase toolchain on glibc 2.24 (2.27 for riscv64)

Support for riscv64 in glibc landed in 2.27 so it's unavoidable that we
use 2.27.

Running a Bitcoin build with toolchains based on 2.24 for platforms
other than riscv64 seem to produce binaries which do not have 2.17
symbols. So use 2.24 since it's more recent and maintained by Debian
Stretch.

* guix: Build depends/qt with our platform definition

Our 'bitcoin-linux-g++' definition better integrates with our depends
system than the stock linux-g++-64 definition.

This fixes a bug whereby Guix builds on x86_64 for x86_64 did not
produce a QMinimalIntegrationPlugin and led to bitcoin-qt not being
built.

* guix: Also sort SHA256SUMS.part

* guix: no-longer pass --enable-glibc-back-compat to Guix

Now that our Guix builds are performed on glibc 2.24 and 2.27 (RISCV),
we no-longer need to pass the --enable-glibc-back-compat option.

Replace it with --disable-threadlocal, to prevent the usage of symbols
from glibc 2.18.

None of the binaries produced required symbols later than 2.17, and 2.27
(RISCV).

* guix: add additional documentation to patches

* Avoid GCC 7.1 ABI change warning in guix build

* guix: Patch binutils to add security-related disable flags

We use these flags in our test-security-check make target, but they are
only available because debian patches them in.

We can patch them in for our Guix builds so that we can check the sanity
of our security/symbol checking suite before running them.

* guix: Test security-check sanity before performing them

* guix: Check for a sane services database

On bare systems, it is possible to be lacking a services database. Check
for basic entries before attempting a build.

See the error message in the diff for more context.

* guix: Update various check_tools lists

* guix: Pin kernel header version

- Use 4.19 for riscv64 (earliest LTS release w/ riscv64 support)
- Use 4.9 for all others (second-oldest LTS release, released in
  combination with glibc glibc 2.24 in Debian stretch)

* guix: Bump to version-1.3.0 from upstream

The chosen commit is the HEAD of Guix's version-1.3.0 branch as of July
15th, 2021.

Also fix visual indenting.

* guix: Overhaul README

- Added detailed Guix bootstrap/installation instructions

* guix-attest: Produce and sign normalized documents

That way we can easily combine the document and detached signature to
produce cleartext signature files for upload during the release process.

See subsequent commits which modify doc/release-process.md for more
details.

* guix/INSTALL: Add coreutils/inotify-dir-recreate troubleshooting

* guix/INSTALL: Guix installs init scripts in libdir

* guix: Silence getent(1) invocation

* guix/INSTALL: Misc fixups

* guix/build: Remove vestigial SKIPATTEST.TAG

* guix: Make all.SHA256SUMS rather than codesigned.SHA256SUMS

* guix: Allow changing the base manifest in guix-verify

When verifying guix attestations, it is useful to set a particular
signer's manifest as the base to compare against.

* Updated Readme, Corrected the codesign typo

* script, doc: guix touchups

* guix: Remove extra \r from all.SHA256SUMS line ending

guix-attest mistakenly added an extra \r to the line endings in
all.SHA256SUMS, causing guix-verify to erroneously fail.

Co-Authored-By: Carl Dong <contact@carldong.me>

* guix: Ensure EPOCH_SOURCE_DATE does not include GPG information

If the user has set log.showSignature=true in their git config, then the
git log will always output GPG signature information. Since git log is
used to set EPOCH_SOURCE_DATE, this will mistakenly have GPG signature
information in it which causes issues for the build. To avoid this
issue, we override the config and force log.showSignature=false.

* release: Release with separate SHA256SUMS and sig files

This allows us to remove the rfc4880 EOL hacks and release with a
SHA256SUMS.asc file that's a combination of all signer signatures.

* guix-verify: Non-zero exit code when anything fails

Previously, if verification fails, the correct message will be printed,
but the exit code would still be 0.

* guix: Don't include directory name in SHA256SUMS

The SHA256SUMS file can be used in a sha256sum -c command to verify
downloaded binaries. However users are likely to download just a single
file and not place this file in the correct directory relative to the
SHA256SUMS file for the simple verification command to work. By not
including the directory name in the SHA256SUMS file, it will be easier
for users to verify downloaded binaries.

Co-authored-by: Carl Dong <contact@carldong.me>

* guix/prelude: Override VERSION with FORCE_VERSION

Previously, if the builder exported $VERSION in their environment (as
past Gitian-building docs told them to), but their HEAD does not
actually point to v$VERSION, their build outputs will differ from those
of other builders.

This is because the contrib/guix/guix-* scripts only ever act on the
current git worktree, and does not try to check out $VERSION if $VERSION
is set in the environment.

Setting $VERSION only makes the scripts pretend like the current
worktree is $VERSION.

This problem was seen in jonatack's attestation for all.SHA256SUMS,
where only his bitcoin-22.0rc3-osx-signed.dmg differed from everyone
else's.

Here is my deduced sequence of events:

1. Aug 27th: He guix-builds 22.0rc3 and uploads his attestations up to
   guix.sigs

2. Aug 30th, sometime after POSIX time 1630310848: he pulls the latest
   changes from master in the same worktree where he guix-built 22.0rc3
   and ends up at 7be143a960e2

3. Aug 30th, sometime before POSIX time 1630315907: With his worktree
   still on 7be143a960e2, he guix-codesigns. Normally, this would result
   in outputs going in guix-build-7be143a960e2, but he had
   VERSION=22.0rc3 in his environment, so the guix-* scripts pretended
   like he was building 22.0rc3, and used 22.0rc3's guix-build directory
   to locate un-codesigned outputs and dump codesigned ones.

   However, our SOURCE_DATE_EPOCH defaults to the POSIX time of HEAD
   (7be143a960e2), which made all timestamps in the resulting codesigned
   DMG 1630310848, 7be143a960e2's POSIX timestamp. This differs from the
   POSIX timestamp of 22.0rc3, which is 1630348517. Note that the
   windows codesigning procedure does not consider SOURCE_DATE_EPOCH.

We resolve this by only allowing VERSION overrides via the FORCE_VERSION
environment variable.

* build: set OSX_MIN_VERSION to 10.15

This is required to use std::filesystem on macOS as support for it only
landed in the libc++ dylib shipped with 10.15.

See also: https://developer.apple.com/documentation/xcode-release-notes/xcode-11-release-notes

Clang now supports the C++17 <filesystem> library for iOS 13, macOS 10.15, watchOS 6, and tvOS 13.

* Enable TLS in links in documentation

* Integrate univalue into our buildsystem

This addresses issues like the one in #12467, where some of our compiler flags
end up being dropped during the subconfigure of Univalue. Specifically, we're
still using the compiler-default c++ version rather than forcing c++17.

We can drop the need subconfigure completely in favor of a tighter build
integration, where the sources are listed separately from the build recipes,
so that they may be included directly by upstream projects. This is
similar to the way leveldb build integration works in Core.

Core benefits of this approach include:
- Better caching (for ex. ccache and autoconf)
- No need for a slow subconfigure
- Faster autoconf
- No more missing compile flags
- Compile only the objects needed

There are no benefits to Univalue itself that I can think of. These changes
should be a no-op there, and to downstreams as well until they take advantage
of the new sources.mk.

This also removes the option to use an external univalue to avoid similar ABI
issues with mystery binaries.

Co-authored-by: fanquake <fanquake@gmail.com>

* guix: Fix powerpc64(le) dynamic linker name

I used Guix's values for the powerpc64(le) dynamic linkers, and the
/lib-prefix seems to be a Guix-ism rather than standard. The standard
path for the linker-loaders start with /lib64.

I've taken the new loader values from SYSDEP_KNOWN_INTERPRETER_NAMES in
glibc's sysdeps/unix/sysv/linux/powerpc/ldconfig.h file.

For future reference, loader path values can also be found on glibc's
website: https://sourceware.org/glibc/wiki/ABIList?action=recall&rev=16

* build: require glibc 2.18+ for release builds

From what I can see the only platform this drops support for is CentOS
7. CentOS 7 reached the end of it's "full update" support at the end of
2020. It does receive maintenance updates until 2024, however I don't
think supporting glibc 2.17 until 2024 is realistic. Note that anyone
wanting to self-compile and target a glibc 2.17 runtime could build with
--disable-threadlocal.

glibc 2.18 was released in August 2013.
https://sourceware.org/legacy-ml/libc-alpha/2013-08/msg00160.html

* scripted-diff: Drop Darwin version for better maintainability

-BEGIN VERIFY SCRIPT-
sed -i 's/darwin19/darwin/g' $(git grep --files-with-matches 'darwin19')
-END VERIFY SCRIPT-

* test: Make more shell scripts verifiable by the `shellcheck` tool

* test: Bump shellcheck version to 0.8.0

* scripted-diff: Insert missed copyright headers

-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py insert contrib/guix/libexec/build.sh
./contrib/devtools/copyright_header.py insert contrib/guix/libexec/codesign.sh
./contrib/devtools/copyright_header.py insert contrib/tracing/log_raw_p2p_msgs.py
./contrib/devtools/copyright_header.py insert contrib/tracing/log_utxocache_flush.py
./contrib/devtools/copyright_header.py insert contrib/tracing/p2p_monitor.py
./contrib/devtools/copyright_header.py insert test/lint/lint-files.sh
-END VERIFY SCRIPT-

* build: use a static .tiff for macOS .dmg over generating

Co-authored-by: Pavol Rusnak <pavol@rusnak.io>

* guix: use GCC 10 (over GCC 8) to build releases

This currently points to the version-1.4.0 branch.

* guix: use uptream nsis-x86_64

Our patch is now used upstream.

* build: use python-asn1crypto from upstream

It is the exact same package definition.

* guix: use upstream python-requests (2.26.0)

Upstream python requests is now modern enough to be used as a dependency for
signapple. Which requires requests>=2.25.1.

* build: Point Guix to the current top of the "version-1.4.0" branch

* build: point to latest commit on the master branch

The version-1.4.0 branch no-longer exists, and will be branched off
master again shortly.

* guix: ignore additioanl failing certvalidator test

======================================================================
ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft
    validate_path(context, path)
  File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path
    return _validate_path(validation_context, path)
  File "/tmp/guix-build-python-certvalidator-0.1-1.e5bdb4b.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path
    raise PathValidationError(pretty_message(
certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-01-14 12:00:00Z

* build: Fix xargs warnings for Guix builds

* build: use macOS 11 SDK (Xcode 12.2)

This should be sufficient to support building for Apple ARM when
cross-compiling.

* guix: use autoconf 2.71

This allows for building with newer targets, like arm64-apple-darwin, due to
having a newer bundled config.guess and config.sub.

* guix: add arm64-apple-darwin triplet

* build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix

* build: Point Guix to recent commit on the master branch

* Replace "can not" with "cannot" in docs, user messages, and tests

* guix: use same commit for codesigning time-machine

The time machines should be updated in lockstep.

* build: Move guix time machine to prelude

This deduplicates some code, and enforces consistency of the time
machine configuration between scripts.

* guix: only use native GCC 7 toolchain for Linux builds

The macOS and Windows builds do not require a GCC 7 toolchain, and this
is actually causing build issues, i.e #24211. So switch to using a GCC
10 native toolchain for both.

* guix: use latest upstream python-certvalidator

This should also allow re-enabling previously failing tests.

* guix: use latest upstream signapple

This should improve support for signing for M1 binaries.

* guix: Drop unneeded openssl dependency for signapple

* guix: use latest signapple

* guix: only check for the macOS SDK once

If we are building for both macOS HOSTS, there's no need to check and
print that the SDK exists two times.

* guix: Use $HOST instead of generic osx{64} for macOS artifacts

* guix: make it possible to override gpg binary

For example on Qubes OS one might want to use qubes-gpg-client-wrapper instead

* guix: Drop "-signed" suffix for signed macOS .dmg files

This change makes naming of the signed artifacts consistent across
different OSes, including Windows.

* guix: Use "win64" for Windows artifacts consistently

* Update signapple for platform identifier fix

* doc, guix: Include arm64-apple-darwin into codesigned archs

* guix: point to latest upstream commit

* Revert "build: Fix gcc-cross-x86_64-w64-mingw32-10.3.0 in Guix"

This reverts commit 7f2f35fe20c7706d547fa22a62521fe926f9c12b.

* macdeploy: remove unused detached-sig-apply

Signature application is now done with signapple.

* guix: Drop code for the unsupported `i686-linux-gnu` host

Now GUIX build for the `i686-linux-gnu` host is broken, and there are no
plans to re-add it.

* contrib: use LIEF 0.12.0 for symbol and security checks

* build: Fix "ERR: Unsigned tarballs do not exist"

* guix: fix vmov alignment issues with gcc 10.3.0 & mingw-w64

This introduces a patch to our GCC (10.3.0) mingw-w64 compiler, in Guix, to make
it avoid using aligned vmov instructions. This works around a longstanding issue
in GCC, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54412, which was recently
discovered to be causing issues, see #24726.

Note that distros like Debian are also patching around this issue, and that is
where this patch comes from. This would also explain why we haven't run into this
problem earlier, in development builds. See:
https://salsa.debian.org/mingw-w64-team/gcc-mingw-w64/-/blob/master/debian/patches/vmov-alignment.patch.

Fixes #24726.
Alternative to #24727.

See also:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939559

* build: don't compress macOS DMG

* guix: fix GCC 10.3.0 + mingw-w64 setjmp/longjmp issues

This commit backports a patch to the GCC 10.3.0 we build for Windows
cross-compilation in Guix. The commit has been backported to the GCC
releases/gcc-10 branch, but hasn't yet made it into a release.

The patch corrects a regression from an earlier GCC commit, see:
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=357c4350680bf29f0c7a115424e3da11c53b5582
and
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=074226d5aa86cd3de517014acfe34c7f69a2ccc7,
related to the way newer versions of mingw-w64 implement setjmp/longjmp.

Ultimately this was causing a crash for us when Windows users were
viewing the network traffic tab inside the GUI. After some period, long
enough that a buffer would need reallocating, a call into FreeTypes
gray_record_cell() would result in a call to ft_longjmp (longjmp), which
would then trigger a crash.

Fixes: https://github.com/bitcoin-core/gui/issues/582.

See also:
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=e8d1ca7d2c344a411779892616c423e157f4aea8.
https://bugreports.qt.io/browse/QTBUG-93476.

* guix: Improve error message about missed macOS SDK

* guix: consolidate kernel headers to 5.15

Given no reason to use an older version of the kernel headers for the
non-RISCV linux builds, consolidate all Linux builds to 5.15.x.

Note that using older kernel headers isn't some sort of compatibility
"hack", and glibc explicitly recommends against doing so. See:
https://sourceware.org/glibc/wiki/FAQ#What_version_of_the_Linux_kernel_headers_should_be_used.3F.

* build: include bitcoin.conf in build outputs

copy over bitcoin.conf during the build process.
this means `contrib/devtools/gen-bitcoin-conf.sh` will need
to be run and the generated file committed during the release process.

this is the same process used for generating man pages for each release.

* guix: bump time-machine to 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681

There are two reasons to perform this bump:
* Fixes #25082 by bumping to a commit that includes a fix for time-dependent unit
tests in libgit2 (f5fe0082abe4547f3fb9f29d8351473cfb3a387b).
* Gives us access to clang-toolchain-14 (14.0.3, 998eda3067c7d21e0d9bb3310d2f5a14b8f1c681),
which is useful for the Guix portion of #21778.

Note that with this bump:
Linux kernels headers update from 5.15.28 to 5.15.37.

* guix: compile glibc without -werror

Compiling glibc 2.24 and 2.27 with the new GCC 10 results in a number of new warnings,
i.e:
```bash
libc-tls.c: In function ‘__libc_setup_tls’:
libc-tls.c:208:30: error: array subscript 1 is outside the bounds of an interior zero-length array ‘struct dtv_slotinfo[0]’ [-Werror=zero-length-bounds]
  208 |   static_slotinfo.si.slotinfo[1].map = main_map;
      |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
In file included from ../sysdeps/x86_64/ldsodefs.h:54,
                 from ../sysdeps/gnu/ldsodefs.h:46,
                 from ../sysdeps/unix/sysv/linux/ldsodefs.h:25,
                 from libc-tls.c:20:
../sysdeps/generic/ldsodefs.h:398:7: note: while referencing ‘slotinfo’
  398 |     } slotinfo[0];
      |       ^~~~~~~~
```

While we could try and backport all the patches required to fix these up, it would
currently seem easier to disable -Werror, which Guix uses by default when building
glibc.

* guix: adjust RISC-V __has_include() patch to work with GCC 10

The actual macro is __has_include(), not __has_include__(), using the
later would result in build failures when using GCC 10. i.e:
```bash
../sysdeps/unix/sysv/linux/riscv/flush-icache.c:24:5: warning: "__has_include__" is not defined, evaluates to 0 [-Wundef]
   24 | #if __has_include__ (<asm/syscalls.h>)
```

Looks like at least someone else has run into the same thing, see:
http://lists.busybox.net/pipermail/buildroot/2020-July/590376.html.

See also:
https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005finclude.html
https://clang.llvm.org/docs/LanguageExtensions.html#has-include

* guix: fix glibc 2.27 multiple definition warnings with GCC 10

* guix: use -fcommon when building glibc 2.24

GCC 10 started using -fno-common by default, which causes issues with
the powerpc builds using gibc 2.24. A patch was commited to glibc to fix
the issue, 18363b4f010da9ba459b13310b113ac0647c2fcc but is non-trvial
to backport, and was broken in at least one way, see the followup in
commit 7650321ce037302bfc2f026aa19e0213b8d02fe6.

For now, retain the legacy GCC behaviour by passing -fcommon when
building glibc 2.24.

https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html.
https://sourceware.org/git/?p=glibc.git;a=commit;h=18363b4f010da9ba459b13310b113ac0647c2fcc
https://sourceware.org/git/?p=glibc.git;a=commit;h=7650321ce037302bfc2f026aa19e0213b8d02fe6

* guix: native GCC 10 toolchain for Linux builds

* guix: re-revert riscv execstack workaround

Now that we use GCC 10 for release builds, we no-longer need to
pass-Wl,-z,noexecstack to get a non-executable stack in RISC-V binaries.

This was originally removed in #21036, but then re-added in #21799, when
we reverted to using GCC 8.

* guix: use libtool 2.4.7

As of version 2.4.7, libtool now respects ARFLAGS, which we use, and has
changed the default ARFLAGS from cru to cr (which we also do, see
configure).

This eliminates spammy `ar` output such as:
```bash
  CXXLD    libunivalue.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  AR       libbitcoin_zmq.a
  AR       libbitcoin_consensus.a
  CXXLD    crypto/libbitcoin_crypto_base.la
  CXXLD    crypto/libbitcoin_crypto_sse41.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  CXXLD    crypto/libbitcoin_crypto_avx2.la
  CXXLD    crypto/libbitcoin_crypto_x86_shani.la
  CXXLD    leveldb/libleveldb.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  CXXLD    crc32c/libcrc32c.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  CXXLD    leveldb/libmemenv.la
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
/root/.guix-profile/bin/x86_64-linux-gnu-ar: `u' modifier ignored since `D' is the default (see `U')
  AR       libbitcoin_cli.a
```

Libtool 2.4.7 release notes:
https://lists.gnu.org/archive/html/autotools-announce/2022-03/msg00000.html

* guix: remove explicit glibc stack protector disabling

While glibc 2.25 and newer *can* be built with stack-smashing-protection
enabled, it isn't used by default, and still isn't, as of glibc 2.35,
so I can't see a reason to explicitly disable it.

I'd also like to move in the direction of enabling, by default,
hardening options for the toolchains we build, so removing the explicit
disabling is a step in that direction.

Will be following up with some changes based on this PR.

* guix: parallelize LIEF build

* guix: remove usage of -Wl,-z,noexecstack for PPC64 HOST

The PPC64 ABI has a non-executable stack by default, and does not need a
GNU_STACK program header.

See also:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/powerpc/include/asm/page_64.h#n92

* guix: use LIEF 0.12.1

* guix: patch LIEF to fix PPC64 NX default

This patches our LIEF build using the change merged upstream:
https://github.com/lief-project/LIEF/pull/718.

This can be dropped the next time we update LIEF.

* guix: Map all guix store prefixes to /usr

Without ffile-prefix-map, the debug symbols will contain paths for the
guix store which will include the hashes of each package. However, the
hash for the same package will differ when on different architectures.
In order to be reproducible regardless of the architecture used to build
the package, map all guix store prefixes to something fixed, e.g. /usr.

* guix: Remove guix store paths from glibc

Without ffile-prefix-map, the debug symbols will contain paths for the
guix store which will include the hashes of each package. However, the
hash for the same package will differ when on different architectures.
In order to be reproducible regardless of the architecture used to build
the package, map all guix store prefixes to something fixed, e.g. /usr.

We might be able to drop this in favour of using --with-nonshared-cflags
when we being using newer versions of glibc.

* guix: use elfesteem 2eb1e5384ff7a220fd1afacd4a0170acff54fe56

Our patch has been merged upstream, see
https://github.com/LRGH/elfesteem/pull/3

* guix: patch gcc 10 with pthreads to remap guix store paths

* guix: Drop repetition of option's default value

* guix: enable SSP for RISC-V glibc (2.27)

Pass `--enable-stack-protector=all` when building the glibc used for the
RISC-V toolchain, to enable stack smashing protection on all functions,
in the glibc code.

* guix: pass enable-bind-now to glibc

Both glibcs we build support `--enable-bind-now`:
Disable lazy binding for installed shared objects and programs.
This provides additional security hardening because it enables full RELRO
and a read-only global offset table (GOT), at the cost of slightly
increased program load times.

See:
https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html

* guix: enable hardening options in GCC Build

Pass `--enable-default-pie` and `--enable-default-ssp` when configuring
our GCCs. This achieves the following:

--enable-default-pie
	Turn on -fPIE and -pie by default.

--enable-default-ssp
	Turn on -fstack-protector-strong by default.

Note that this isn't a replacement for passing hardneing flags
ourselves, but introduces some redundency, and there isn't really a
reason to not build a more "hardenings enabled" toolchain by default.

See also:
https://gcc.gnu.org/install/configure.html

* guix: ignore additional failing certvalidator test

Similar to 85885919656a3f606f3d7f208378aabe95f3f62d.

```bash
ERROR: test_revocation_mode_soft (tests.test_validate.ValidateTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/test_validate.py", line 85, in test_revocation_mode_soft
    validate_path(context, path)
  File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 50, in validate_path
    return _validate_path(validation_context, path)
  File "/tmp/guix-build-python-certvalidator-0.1-1.a145bf2.drv-0/source/tests/../certvalidator/validate.py", line 358, in _validate_path
    raise PathValidationError(pretty_message(
certvalidator.errors.PathValidationError: The path could not be validated because the end-entity certificate expired 2022-07-27 12:00:00Z
```

* guix: patch NSIS to remove .reloc sections from install stubs

With the release of binutils/ld 2.36, ld swapped to much improved
default settings when producing windows binaries with mingw-w64. One of
these changes was to stop stripping the .reloc section from binaries,
which is required for working ASLR.

.reloc section stripping is something we've accounted for previously,
see #18702. The related upstream discussion is in this thread:
https://sourceware.org/bugzilla/show_bug.cgi?id=19011.

When we switched to using a newer Guix time-machine in #23778, we begun
using binutils 2.37 to produce releases. Since then, our windows
installer (produced with makensis) has not functioned correctly when run on
a Windows system with the "Force randomization for images (Mandatory ASLR)"
option enabled. Note that all of our other release binaries, which all
contain .reloc sections, function fine under the same option, so it
cannot be just the presence of a .reloc section that is the issue.

For now, restore makensis to it's pre-binutils-2.36 behaviour, which
fixes the produced installer. The underlying issue can be further
investigated in future.

* doc: minor updates to guix README

* build: include share/rpcauth in tarball & installer

Fixes #19081.

* guix: use --build={arch}-guix-linux-gnu in cross toolchain

Technically we are always cross-compiling, so make that explicit.

Fixes: #22458.

* guix: consistently use -ffile-prefix-map

Aside from being the newer, more comprehensive option, it's what we
claim to use in the patch docs, and everywhere else in guix.

* guix: use git-minimal over git

From the git-minimal package definition:
> The size of the closure of 'git-minimal' is two thirds that of 'git'.
> Its test suite runs slightly faster and most importantly it doesn't
> depend on packages that are expensive to build such as Subversion.

We don't need any fancy / additional git functionality above the basics,
so switch to git-minimal and save some CPU, while also pruning the
greater dependency graph.

```diff
-name: git
+name: git-minimal
 version: 2.37.3
 outputs:
-+ send-email: see Appendix H
-+ svn: see Appendix H
-+ credential-netrc: see Appendix H
-+ credential-libsecret: see Appendix H
-+ subtree: see Appendix H
-+ gui: see Appendix H
 + out: everything else
-systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux i686-linux armhf-linux powerpc-linux
-dependencies: asciidoc@9.1.0 bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 docbook-xsl@1.79.2 expat@2.4.1 gettext-minimal@0.21 glib@2.70.2 libsecret@0.20.4 openssl@1.1.1l pcre2@10.37 perl-authen-sasl@2.16 perl-cgi@4.52
-+ perl-io-socket-ssl@2.068 perl-net-smtp-ssl@1.04 perl-term-readkey@2.38 perl@5.34.0 pkg-config@0.29.2 python@3.9.9 subversion@1.14.1 tcl@8.6.11 tk@8.6.11.1 xmlto@0.0.28 zlib@1.2.11
-location: gnu/packages/version-control.scm:222:2
+systems: x86_64-linux mips64el-linux aarch64-linux powerpc64le-linux riscv64-linux i686-linux armhf-linux powerpc-linux
+dependencies: bash-minimal@5.1.8 bash@5.1.8 curl@7.79.1 expat@2.4.1 gettext-minimal@0.21 openssl@1.1.1l perl@5.34.0 zlib@1.2.11
+location: gnu/packages/version-control.scm:608:2
 homepage: https://git-scm.com/
 license: GPL 2
 synopsis: Distributed version control system
```

* guix: Drop perl package

* Revert "guix: Build depends/qt with our platform definition"

This reverts commit dc4137a60c99979b89f75d2bddba96d043f387b8.

* MS: restclient start

* MS: bumped c++ version from 14 to 17

* only gitian build for linux x86_64 for now. We can add back aarch64 later when needed.

* Testing whether OSX SDK needs to updated for gitian building for c++17

* test if bitcoins last gitian-build method works with unigrid

* yaml format error

* updated darwin host file for py build gitian

* Update depends make to work with latest build

* update darwin builder for new gitian

* DOWNLOAD_RETRIES:=3 readded for curl

* linux host update gitian

* check in default depends

* upgrade dawrwin to 19

* use focal

* remove i686 windows gitian

* testing whether jammy has same compile error for osx cctools

* switch back to focal

* place guix in proper directory

* guix util file

* guix util file

* lief is failing on guix build. try a newer version

* change hash for lief

* try and downgrade lief

* lief hash

* update darwin to never xcode version and osx 10.15 minimum

* added missing native_clang depends

* test jammy build focal cannot find repos

* missing some jammy in build.py

* build with kinetic

* focal appears to be the only docker container that builds correctly

* test building with g++9 linux

* test if reverting to c++14 builds work

* upgrade build.sh to use focal base VM. Remove some uneeded dependencies for linux builds.

* use jammy for builds and test building with c++17 or 20 if available

* force c++17

* don't check clock_gettime by default

* docker still cannot find ubuntu jammy revert to focal

* fdelt is required

* aarch64 required to compile

* disable arm build

* test disable glib backward support

* darwin builds were missing libtapi. native_cdrkit replaced with xorriso.

* change order of native_libtapi

* libtapi and clang are split out of cctools

* darwin unable to find glibtoolize

* upgrading boost and remove references to specific darwin versions

* split boost into build/host

* boost fail build on linux

* define minimum required boost

* adding missing required boost libraries after updating boost version

* errors building with boost 1.73.0 revert back to 1.71.0

* wrong xcode version in darwin build

* up boost version to 1.73.0

* test building with boost 1.80.0

* remove unused dependency and set min boost version

* upgrading boost requires more refactoring

* test if building osx works with c++11

* c++11 build fails on the rest client test to see if c++17 resolves this error

* accidental edit of robin-hood submodule

* use 12.2 osx sdk

* use 12.2 osx sdk for gitian-builder

* proper cheksum of Xcode

* checksum was not correct

* remove downloaded sdk

* attempted build with boost 1.80

* revert to c++14 and downgrade boost

* configure.ac set c++14

* Ms restclient (#5)

* MS: Updated univalue lib to latest version. Fixed parsing of json from restclient

* ms: added -hport as an argument in for unigridd.

* ms: added mint class to handel values from hedgehog. did some cleanup.

* ms: fixed compilation error

* ms: rewrote the rest client so its now working and getting json data from hedgehog

* ms: removed auto keyword

* ms: changed return type to bool to check if data got tranferd as expected from hedgehog

* ms: reverted c++ version to 14 from 17

Co-authored-by: Fim-84 <marcus.stenberg@gmail.com>

* set depends to build with c++11

* compile cc++ test update

* revert to old method of building boost that worked on OSX

* remove native_b2 ref

* remove native_cdrkit

* build ref for native_libtapi

* misisng endif

* try bitcoin boost build method

* errors compiling openssl with xcode 12.2 revert to 12.1

* test if old gitian build works with rest client update

* revert boost to old build

* reverting native cc tools build

* revert depends make to master

* missing cdrkit added

* cdrkit in wrong directory

* revert darwin host

* remove updated gitian build script from this branch. If we decide to stick with gitian this can be pulled from the EG_uposx_12_1 branch.

Co-authored-by: Carl Dong <contact@carldong.me>
Co-authored-by: fanquake <fanquake@gmail.com>
Co-authored-by: W. J. van der Laan <laanwj@protonmail.com>
Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
Co-authored-by: Andrew Chow <achow101-github@achow101.com>
Co-authored-by: Pieter Wuille <pieter@wuille.net>
Co-authored-by: h <harshit_goyal333@outlook.com>
Co-authored-by: jonatack <jon@atack.com>
Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc>
Co-authored-by: Cory Fields <cory-nospam-@coryfields.com>
Co-authored-by: Pavol Rusnak <pavol@rusnak.io>
Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com>
Co-authored-by: josibake <josibake@protonmail.com>
Co-authored-by: Stacie <staciewaleyko@gmail.com>
Co-authored-by: Fim-84 <marcus.stenberg@gmail.com>

* refactor of masternode to gridnode. Init will check for masternode.conf and rename the file to gridnode.conf on startup.

* having issues with the ubuntu bionic installs. try with ubuntu jammy

* remove uneeded break as we are not looping through strings anymore

* increase GLIBC version for newer OS building

* A complete refactor of the repo, to update Unigrid's naming convention of gridnodes instead of masternodes.

* refactor additions for gridnodes vs masternodes

* spelling error Gridnodeconfig

* SPORK_20_UNDONKEY_MNREWARDS refactored :D

* set build environment to bionic for gitian

Co-authored-by: Carl Dong <contact@carldong.me>
Co-authored-by: fanquake <fanquake@gmail.com>
Co-authored-by: W. J. van der Laan <laanwj@protonmail.com>
Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
Co-authored-by: Andrew Chow <achow101-github@achow101.com>
Co-authored-by: Pieter Wuille <pieter@wuille.net>
Co-authored-by: h <harshit_goyal333@outlook.com>
Co-authored-by: jonatack <jon@atack.com>
Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc>
Co-authored-by: Cory Fields <cory-nospam-@coryfields.com>
Co-authored-by: Pavol Rusnak <pavol@rusnak.io>
Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com>
Co-authored-by: josibake <josibake@protonmail.com>
Co-authored-by: Stacie <staciewaleyko@gmail.com>
Co-authored-by: Fim-84 <marcus.stenberg@gmail.com>

* build environment should be bionic

* fix compiler error for unsupported c++

* target is needed here

* move CheckIfLockPeriodIsActive where bools are declared

* remove {} from return

* ms: last check for minted amount added.

* remove broken code

* ms: changed colleteral amount to 2000.

* ms: started working out a way to start a new chain to test

* set start time for zerocoin in the future so testnet does not look for it at the start

* pass chain height to get best block

* remove duplicate regtest

* height is a method

* missing )

* add echo

* log chain height

* height is -1 at the start

* pass height to assert

* assert only if not on genesis

* or on assert check

* asset if -1 is true

* print blockhash

* accidental overwrite in last commit

* output GetBestBlock

* convert best block to string

* print cacheCoins

* print cacheCoins

* tray creating coins view with blockhash -1

* misc

* ignore assert for flush if block height -1

* move initialize calls before InitBlockIndex

* undo last commit

* getting test net working

* ms: uncommented stuff

* refactor the test file to unigrid

* hard code in a testnet seed node

* vSeeds needs to clear for testnet

* adding two hard coded seed nodes for testnet

* refactor all Gridnode names in rpc to gridnode

* set testnet to mine up to block 2000 and lower gridnode collateral to 10

* update chainparams with devPubKey and set max coins the same value as mainnnet

* set gn amount to 100

* use Params().GridnodeCollateral() for gn collateral

* change max money out back to testnet defaults

* set max money out at 25000000000 there appears to be a pre-mine on first gridnode reward

* set testnet node collateral to the same as mainnnet. Also the max money out.

* removing code referencing bitcoin blocks

* set mainnet back to current collateral

* fix bootstrap download

* update download bootstrap check

* added a line break as removing the addnodes placed unigridstake on the same line as the rpcpassword

* last pow testnet 20 and comment out block rewards for testnet

* set downloadBootstrap to false if passed in as the value is never set

* switch check flag for download

* add some outputs on what is happening with the bootstrap download

* reverse download check

* set flag for download only true

* log nobootstrap arg

* only check for bootstrap if not testnet

* lower block maturity and increase mining to 30 blocks

* ms: got testnet staking

* set last POW to 50 as modern cpus will mine the last block too fast

* ms: fixed overflow error in amount in mint.

* test whether staking still works with gridnodeSync

* change addnode to connect. We don't want this test network connecting to the main networks.

* script was tring to remove swipp items instead of unigrid

* force return of GRIDNODE_SYNC_FINISHED for testnet so we can start staking

* skipping this check stakes although it never returns staking is active. It also likely breaks gn payments for testnet.

* set nGridnodeCountDrift to 0 on testnet

* Keep exact input amount for GN for now. There is another place the daemon checks which breaks them if its the wrong input.

* find all other locations collateral is checked

* test if this ignores gnsync on testnet

* place the gnsync check in the actaul call so all checks determine whether we are testnet or not

* test coin control with create transaction

* add reference to coinControl

* add coincontrol.h to rpc wallet

* remove log for return key

* print wtx.strFromAccount

* comment out destChange

* added a call to get local addresses in a map. SOme notes on how to handle locking minted tokens in wallet.cpp

* ms: changed how we add the mint to transaction index

* checking loadBlockIndex was removed for some reason in an earlier commit

* comment out isTimeToMint to test if this is causing a full reindex

* add back old assert assert(hashPrevBlock == view.GetBestBlock())

* remove log spam of block info

* set hashBlock back to -1

* skip check block to see if the issue is here

* broken log

* CheckBlock is not the issue

* ms: changes in create transactions to lock transactions from minted addresses

* disable setting genesis to test mainnet

* log loading block from disk

* update log

* move setbest block to the end

* only check GetHash for testnet as mainnet does not need this

* added coin control if we are sending to a local address that is locked

* ms: added checks to stop transactions from minted addresses

* the numbers here cannot change for mainnet as they are required to confirm old blocks

* ms: removed log prints that spamed the log. change a if statment to specificly only allow transfers to the minted address from a minted address

* two different asserts for main and testnets

* test whether syncing works mainnet

* set genesis to view if there is a match

* add a line break on exception here

* ms: fixed shutdown when not finding hedgehog.

* ms: small changes to handel when hedgehog dosent have any mint data yet

* disable shutdown for test

* return true for checktx on lock to test

* test getbestblock

* only check prev block for testnet as this is interfering with mainnet sync

* revert MAIN to old method of checking previous block

* redo order in init loading block index

* regorg init block index

* test InitBlockIndex after pcoin

* block index was checking twice

* disable shutdown to see if mainnet actually syncs

* disable log for waiting to mint

* disable spam from calling cli

* only output true for time to mint

* test if the order here was what causes testnet to not start

* remove commented code. if used it breaks testnet starting properly.

* MS: changed how no connecting hedgehog workes. it will wait for one minut for connection and if its not getting a connection it will shutdown. if connection is estableched it will processed as it should.

* MS: small change to CheckIsLockPeriodIsActive

* MS: Done some change to make the daemon play ball with hedgehog

* Create a new protocol version for this next release. Check with hedgehog over the rest client whether any new sporks have been created. If yes then we need to force all old protocols off the network.

* need to add the restclient object

* modify the hasMintingSpork call to use the same method as getdatafromrestserver

* try printing the size of the response

* adding some debuig logs

* test this rest call to hedgehog

* skip calling the rest client to see if the error is there

* wrap check in a try catch to see if we get an error

* MS: removed log prints that fills up the log

* MS: changed the mint spork check to handel an emtpty return list.

* search for the correct OSX SDK being used

* correct osx sdk

* min osx version bump

* bump boost 1.73

* remove boost test

* update from master

* remove cclang packages

* minimal boost install

* clang

* have to build boost

* place test at end of boost built

* min boost ver

* attempt to compile using what worked in master

* test if this gitian build that works can compile boost 1.73

* fix for boost 1.73

* remove throw error stopping the daemon from shutting down

* remove the catch causing a boost error to be thrown

* add some debug logs to find where boost is failing

* place the log before the trys

* see if boost requires this

* check if boost 1.73 is the issue

* boost 1.73 and dont start a shutdown

* skip checking for sporks

* re-enable checking for minting sporks as this did not solve the syncing issue

* check if the protocol version is causing sync issues

* test if check lock period even works

* skip checking lock period

* check whether commenting out get best block works here

* revert

* found the sync problem I believe

* fix syncing issue that happened from a bad commit at bf89a5f

* fixing openssl errors caused by an old version while boost asio is requiring a newer version.

* skip checking for sporks as it always returns 3 so will not connect to node. Set correct flag for checking tx for mints.

* this one also needs to only return if true

* remove debug logs

* MS: changed some logic. uncommented checkspork for test. changed test.sh to use the correct port

* Working on fix for memory leak

* MS: fixed a memory leak in CDataStreams that became apperent when running testnet.

* osx gitian failing on boost... again

* attempt to build with bjam and toolset

* check if the dash build method works any differently

* ignore boost tests

* darwin toolset

* boost 1.71

* boost 1.71 is the same issue

* one diff between working and not

---------

Co-authored-by: Fim-84 <marcus.stenberg@gmail.com>
Co-authored-by: Carl Dong <contact@carldong.me>
Co-authored-by: fanquake <fanquake@gmail.com>
Co-authored-by: W. J. van der Laan <laanwj@protonmail.com>
Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
Co-authored-by: Andrew Chow <achow101-github@achow101.com>
Co-authored-by: Pieter Wuille <pieter@wuille.net>
Co-authored-by: h <harshit_goyal333@outlook.com>
Co-authored-by: jonatack <jon@atack.com>
Co-authored-by: Jeremy Rand <jeremyrand@airmail.cc>
Co-authored-by: Cory Fields <cory-nospam-@coryfields.com>
Co-authored-by: Pavol Rusnak <pavol@rusnak.io>
Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com>
Co-authored-by: josibake <josibake@protonmail.com>
Co-authored-by: Stacie <staciewaleyko@gmail.com>